This Week in Cybercrime: Former State Government Employee Used Driver’s License Database Access to Snoop on Thousands

It’s hard enough to keep your personal information out of the hands of cybercriminals bent on using it to steal from you or fraudulently acquire things in your name. But it seems like there’s no hope when organizations you trust with your personal details—like the Minnesota Department of Public Safety—mishandle them. That was likely the case for roughly 5000 state residents who found out this week that a former state employee has been charged with illegally accessing the records associated with their driver’s licenses. The data thief, who was once the state's Department of Natural Resources Enforcement Division's administrative manager, was authorized to look at a resident's records when they related to his office’s official business. But between 2008 and last October, he used his credentials to query the state Driver and Vehicle Services database more than 19 000 times. He looked up the names of politicians, judges, county and city attorneys, police officers, news reporters, family members and other state employees. Most of his downloads were of women whose pictures appeared in the database.

According to a Kaspersky Lab Threatpost article, four people who have been notified that their records were wrongfully accessed are suing the alleged perpetrator and other state employees. “They said the data breaches caused severe emotional stress and physical harm and were the result of ‘lax policies and lax enforcement’ that allowed an unsupervised, unmonitored Hunt to continually access records for years,” says the Threatpost article.

Government Agencies, Military Among Users of Vulnerable Industrial Control System

What do the FBI, the Drug Enforcement Agency, the U.S. Marshals Service, the IRS, the U.S. Passport Office, the British Army, and Boeing have in common? They are just a few of the thousands of organizations whose facilities depend on an industrial control system with a security hole that could allow attackers to remotely control critical building functions such as electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, and alarms. The vulnerability in the Tridium Niagara AX Framework was reported on 5 February at the Kaspersky Security Analyst Summit.

Billy Rios and Terry McCorkle, security researchers with Cylance, demonstrated a zero-day attack that yields access to the system’s config.bog file, which holds login credentials and other data for operator workstations, and controls the systems that are managed by them. The exploit, say Rios and McCorkle, takes advantage of a vulnerability that gave them root on the system’s platform. “The platform is written in Java, which is really, really good from an exploitation standpoint,” Rios told Wired. “Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack],” said Rios.

Rios and McCorkle reported that a search turned up roughly 21 000 Tridium systems that were accessible over the Internet.

In a written statement, Tridium revealed that the researchers notified it about the vulnerability in December; it has been working on a patch, which it says it expects to release by 13 February. In an attempt to downplay the vulnerability, the statement noted that, “The vast majority of Niagara AX systems are behind firewalls and VPNs—as we recommend—but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.” That’s a change of tune from Tridium’s stance just last year, when it told the Washington Post that its systems benefited from security through obscurity.

Tried-and-True Thieving Techniques Taken Up Again

Cyberthieves have developed sophisticated malware that can infiltrate a victim’s computer, allowing a thief to tap into online banking sessions initiated by customers in real time. Such malicious code is capable of conducting fraudulent transactions right under the victim’s nose and covering its tracks by updating the account balance and transaction history display in the victim’s browser. But because banks have developed countermeasures including software that detects anomalies in customers’ online access, some crooks are eschewing session hijacking and going back to the old and familiar: stealing login credentials for subsequent access from a separate computer. This shift was confirmed by researchers at security firm Trusteer, who reported this week that they noticed changes in the Tinba and Tilon financial Trojan programs. According to a 7 February blog post by Amit Klein, Trusteer's chief technology officer, the Trojans divert a customer attempting to access his or her bank’s website to a fake version. The rest is history, says Klein:

“Once the customer enters their login credentials into the fake page the malware presents an error message claiming that the online banking service is currently unavailable. In the meantime, the malware sends the stolen login credentials to the fraudster who then uses a completely different machine to log into the bank as the customer and executes fraudulent transactions.”

Now banks have to be on the lookout for both the new and (relatively) old-school techniques.

Adobe Releases Emergency Security Update

On 7 February, Adobe released a patch for its Flash Player meant to stop hackers from using two zero-day vulnerabilities to take over Windows PCs and Macs. Adobe was already planning to release a Flash Player update on 12 February, but because the software maker was “aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash content,” it released the fixes as soon as they were ready. The other vulnerability was being used for so-called drive-by attacks that victimize computer users who navigate to a malicious website hosting an exploit.